1798.90.4.
The following definitions shall apply for purposes of this title:(a) “Precise geolocation data” means any data that is derived from a device and that is used or intended to be used to locate a person within a radius equal to or less than 1,850 feet around that person.
(b) “Person” means any natural person, partnership, firm, association, corporation, limited liability company, or other legal entity.
(c) “Public agency” means the state, any city, county, or city and county, or any agency or political subdivision of the state or of a city, county, or city and county, including, but not limited to, a law enforcement agency.
(d) “Consent” means any freely given, specific, informed, and unambiguous indication of the person’s wishes, including by a statement or by a clear affirmative action, by which the person, or the person’s legal guardian, another person who has power of attorney for the person, or another person acting as a conservator for the person, signifies agreement to the collection of precise geolocation data for a specific purpose communicated by a public agency. Acceptance of a general or broad terms of use, or similar document, that contains generalized purposes for collecting precise geolocation data, or unrelated information, does not constitute consent. Consent may not be obtained through third parties. Consent may be revoked at any time by a person, the person’s legal guardian, another person who has power of attorney for the person, or another person acting as a conservator for the person.
1798.90.41.
A public agency that collects precise geolocation data shall do all of the following:(a) Obtain lawful permission to collect precise geolocation data prior to the collection of that precise geolocation data and maintain that permission for the duration of the collection of the precise geolocation data. Lawful permission includes any collection in conformity with the California Electronic Communications Privacy Act (Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code), or any of the following:
(1) A subpoena or court order for the particular device from which precise geolocation data is derived.
(2) A search warrant
for the particular device from which precise geolocation data is derived.
(3) Consent of the person who possesses the device from which precise geolocation data is derived.
(b) Maintain reasonable security procedures and practices, including operational, administrative, technical, and physical safeguards, to protect precise geolocation data from unauthorized access, destruction, use, modification, or disclosure.
(c) (1) Implement a usage and privacy policy in order to ensure that the collection, use, maintenance, sharing, and dissemination of precise geolocation data is consistent with respect for individuals’ privacy and civil liberties. The usage and privacy policy shall be available to the public in writing, and, if the public agency has an internet website, the usage and privacy policy shall
be posted conspicuously on that internet website.
(2) The usage and privacy policy shall, at a minimum, include all of the following:
(A) The authorized purposes for using the precise geolocation data and collecting precise geolocation data.
(B) A description of the job title or other designation of the employees and independent contractors who are authorized to use or access the precise geolocation data, or to collect precise geolocation data. The policy shall identify the training requirements necessary for those authorized employees and independent contractors.
(C) A description of how the precise geolocation data will be monitored to ensure the security of the information and compliance with applicable privacy laws.
(D) The title of the official custodian, or owner, of the precise geolocation data responsible for implementing this section.
(E) A description of the reasonable measures that will be used to ensure the accuracy of precise geolocation data and correct data errors.
(F) The length of time precise geolocation data will be retained, and the process the public agency will utilize to determine if and when to destroy retained precise geolocation data.
(G) The process by which a person may revoke their consent to the collection of precise geolocation data.
1798.90.45.
Notwithstanding any other law or regulation:(a) A public agency that collects or intends to collect precise geolocation data shall provide an opportunity for public comment at a regularly scheduled public meeting of the governing body of the public agency before collection begins.
(b) A public agency shall not sell, share, or transfer precise geolocation data, other than to comply with a lawful court order. For purposes of this section, the provision of data hosting shall not be considered the sale, sharing, or transferring of precise geolocation data.